Your message dated Fri, 15 Nov 2024 23:20:33 +0000
with message-id <[email protected]>
and subject line Bug#1087274: fixed in libxstream-java 1.4.21-1
has caused the Debian Bug report #1087274,
regarding libxstream-java: CVE-2024-47072
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1087274: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087274
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxstream-java
Version: 1.4.20-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.4.20-1

Hi,

The following vulnerability was published for libxstream-java.

CVE-2024-47072[0]:
| XStream is a simple library to serialize objects to XML and back
| again. This vulnerability may allow a remote attacker to terminate
| the application with a stack overflow error resulting in a denial of
| service only by manipulating the processed input stream when XStream
| is configured to use the BinaryStreamDriver. XStream 1.4.21 has been
| patched to detect the manipulation in the binary input stream
| causing the stack overflow and raises an
| InputManipulationException instead. Users are advised to upgrade.
| Users unable to upgrade may catch the StackOverflowError in the
| client code calling XStream if XStream is configured to use the
| BinaryStreamDriver.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-47072
    https://www.cve.org/CVERecord?id=CVE-2024-47072
[1] https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q
[2] https://x-stream.github.io/CVE-2024-47072.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
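The report above describes two defensive states: XStream 1.4.21 rejects the manipulated binary stream with an InputManipulationException, while callers stuck on an older version are advised to catch the StackOverflowError themselves around the XStream call. The following Java class is an added example, not code from the advisory, the XStream project or the Debian package; the SafeBinaryDecoder and Greeting class names are assumptions chosen for illustration. It configures XStream with the BinaryStreamDriver named in the CVE text, allow-lists the one type it expects, and turns both failure modes into an ordinary IOException so that a malformed stream is treated as rejected input rather than crashing the caller.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;
import com.thoughtworks.xstream.security.InputManipulationException;

/** Added example: decode XStream binary streams from an untrusted source defensively. */
public final class SafeBinaryDecoder {

    /** Hypothetical application type; the only class the decoder is allowed to produce. */
    public static final class Greeting {
        public String text;
    }

    private final XStream xstream;

    public SafeBinaryDecoder() {
        // The CVE concerns the binary driver, not the default XML drivers.
        xstream = new XStream(new BinaryStreamDriver());
        // Allow-list the expected type instead of deserialising arbitrary classes.
        xstream.allowTypes(new Class[] { Greeting.class });
    }

    /**
     * Decodes one Greeting from an untrusted stream. Any manipulation of the
     * stream is reported as an IOException instead of propagating further.
     */
    public Greeting decode(InputStream untrusted) throws IOException {
        try {
            return (Greeting) xstream.fromXML(untrusted);
        } catch (InputManipulationException e) {
            // XStream 1.4.21 and later detect the manipulated binary stream itself.
            throw new IOException("rejected manipulated binary stream", e);
        } catch (StackOverflowError e) {
            // Workaround from the advisory for callers still on a version before 1.4.21:
            // the recursion has unwound by the time control reaches this handler.
            throw new IOException("rejected binary stream: nesting exhausted the stack", e);
        } catch (ClassCastException e) {
            // fromXML returned something other than the allow-listed type.
            throw new IOException("rejected binary stream: unexpected root object", e);
        }
    }

    /** Serialises a Greeting with the same driver, used here to build a valid sample. */
    public byte[] encode(Greeting greeting) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        xstream.toXML(greeting, out);
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        SafeBinaryDecoder decoder = new SafeBinaryDecoder();

        // Constructed sample input: a legitimately encoded Greeting round-trips.
        Greeting original = new Greeting();
        original.text = "hello";
        byte[] wire = decoder.encode(original);
        Greeting decoded = decoder.decode(new ByteArrayInputStream(wire));
        System.out.println("decoded: " + decoded.text);

        // Constructed sample input: an empty stream is not a valid binary document and
        // is rejected through the same IOException path a manipulated stream would take.
        try {
            decoder.decode(new ByteArrayInputStream(new byte[0]));
        } catch (IOException | RuntimeException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The allow-list call is independent of this CVE but belongs in any code path that feeds XStream untrusted bytes; the StackOverflowError handler only makes sense for deployments that cannot yet move to 1.4.21-1, which is what the closing message below ships for unstable.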
--- Begin Message ---
Source: libxstream-java
Source-Version: 1.4.21-1
Done: Pierre Gruet <[email protected]>

We believe that the bug you reported is fixed in the latest version of
libxstream-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Gruet <[email protected]> (supplier of updated libxstream-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 15 Nov 2024 23:58:53 +0100
Source: libxstream-java
Architecture: source
Version: 1.4.21-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Pierre Gruet <[email protected]>
Closes: 1087274
Changes:
 libxstream-java (1.4.21-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 1.4.21:
     - Fixes CVE-2024-47072 (Closes: #1087274) This vulnerability may allow a
     remote attacker to terminate the application with a stack overflow error
     resulting in a denial of service only by manipulating the processed input
     stream when XStream is configured to use the BinaryStreamDriver.
   * Refreshing patches
Checksums-Sha1:
 141009c6b9f359c80ffdf9bdced5e4fe993bf1b8 2343 libxstream-java_1.4.21-1.dsc
 cff4e0d75b0ed4d4aa637d59d0dfba30e59bf354 484588 libxstream-java_1.4.21.orig.tar.xz
 ae5e57a198d8b88a1a5fc6de4867d539e2220424 18676 libxstream-java_1.4.21-1.debian.tar.xz
 6e9d1ee5156a2aa3c02daa221cdf3476640327a3 17751 libxstream-java_1.4.21-1_source.buildinfo
Checksums-Sha256:
 37b0ab680922af192f5ff3c4c35124a412901e1bb34db2aaae82463a21a8b978 2343 libxstream-java_1.4.21-1.dsc
 fbafcc79f0b666c92e2fb879629eb0634e8b3bdac411bf03c1d5deb435e7d3b5 484588 libxstream-java_1.4.21.orig.tar.xz
 e6d4b093b1ecb0fd3a120447be7a9d3dbf0bae40ae9472f2c60fb46c990e9f71 18676 libxstream-java_1.4.21-1.debian.tar.xz
 dd9cd203811683d490646e8ab36b7cd8cc60f5df49ea4e2cfd09e04f78bc6ac4 17751 libxstream-java_1.4.21-1_source.buildinfo
Files:
 07dc6d87c73441870ffb67e6772d6986 2343 java optional libxstream-java_1.4.21-1.dsc
 8e42eee7f046c8b4f0c3e2832b851259 484588 java optional libxstream-java_1.4.21.orig.tar.xz
 320712e73dda3e1cd21537e916d44141 18676 java optional libxstream-java_1.4.21-1.debian.tar.xz
 12552efe77c3eb121ad10cdd28ddf88a 17751 java optional libxstream-java_1.4.21-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpZqfZxxNy0Z.pgp
Description: PGP signature


--- End Message ---